Data protection and IT security
As a healthcare provider, Galenica attaches prime importance to protecting patient data. We ensure that this information and data are protected from unauthorised access, modification or loss.
As the Swiss healthcare system becomes increasingly digitised, the importance of data protection and the legal requirements for data processing are also growing. Data protection entails the handling of patient data and aims to protect patients’ privacy whenever their data is processed. Health data is sensitive and must be particularly protected from the risk of unauthorised use. Data protection plays a central role in the former Retail Business sector and at HCI Solutions in particular.
Our approach to this matter
Galenica is being assisted in this important area by an external independent data protection officer. The data protection policy provides the overall framework and is supplemented by specific rules and directives for the Group companies. Furthermore, all employment contracts for staff who have access to personal data include a data protection clause. Galenica keeps up to date with the ongoing amendments to data protection legislation and conducts regular reviews, thus ensuring that legal regulations are observed and a high standard is maintained in relation to the handling of personal data.
Facts and figures
Group-wide policy in force
The data protection policy entered into force on 1 January 2020. It contains general rules on the organisation and responsibilities with regard to data protection.
Focus on revised data protection legislation
At the end of September 2020, parliament adopted a totally revised version of the Federal Data Protection Act (nDSG). The revised legislation reflects the changed technological and social environment and particularly improves the transparency of data processing and data subjects’ rights of self-determination with respect to their personal data. The revised data protection legislation includes numerous amendments to bring it into line with the European General Data Protection Regulation (EU GDPR). Galenica is observing these ongoing developments and determining the extent to which adjustments are necessary.
Outlook for 2021
Consultations on the amendment of the Data Protection Ordinance will be commencing in 2021. The Legal Department is assessing the current situation at Galenica for the purposes of data protection legislation and implementing the statutory requirements. In addition, it is continuing to observe practices in connection with the EU GDPR.
IT security and cybercrime
As the digital transformation of the healthcare system progresses, there is also a mounting risk of cyberattacks. For this reason, IT security is highly relevant for Galenica. As a healthcare service provider, Galenica processes sensitive information and data. It ensures that this information and data are protected from unauthorised access, modification or loss. In the case of the logistics companies and pharmacies, protection of the IT systems plays a decisive role in ultimately ensuring reliable supplies for the general population. People are one of the greatest risk factors in connection with cybercrime, as many cyberattacks are targeted at employees, e.g. in the form of fake e-mail messages.
Our approach to this matter
The IT security staff in the IT departments of the Galenica Group companies are responsible for the security of their own IT systems. At the Group level, IT security is coordinated by an IT security officer, who in particular chairs the IT Security Circle, which is composed of the IT security staff of the IT departments of all the Galenica Group companies. The Circle meets on a quarterly basis and advises on and coordinates information and IT security precautionary measures, which the members then put into practice at their own companies.
Clear guidelines regulate operations
The IT security policy defines the information and IT security objectives, the powers and responsibilities and the principles of IT security for the Galenica Group. It applies to all Galenica Group companies and forms the basis for all written IT security instructions. In addition, the IT utilisation rules set out the rules of conduct for the use of IT resources, such as the use of private devices, mobile working or working from home. Finally, the IT security manual is targeted at employees in the IT departments and sets out the requirements for secure IT operations.
Heightened employee awareness
All employees must contribute to ensuring information and IT security. In addition to taking technical precautions, Galenica promotes security awareness on the part of all employees by means of specific e-learning modules and Intranet news. Right from their very first day, new employees are familiarised with the main elements of the IT utilisation rules.
Facts and figures
Security monitoring system rolled out
Galenica conducted a comprehensive IT security audit in 2019. In the year under review, the IT departments adopted a large number of measures in response to the findings from the audit. Among other things, a security monitoring system that oversees all systems and sounds an alarm in the event of any irregularities was rolled out. In addition, personnel resources for IT security were increased.
Employees kept regularly informed on IT security
In the year under review, Galenica stepped up internal communications on IT security and cybercrime. The newly assembled IT communications team regularly published news on IT and security matters on the Intranet and organised an interactive competition on this subject. The purpose of these two activities was to draw employees’ attention to possible risks and to heighten their awareness of the need for greater IT security. In addition, the second training module on information security was held in 2020. Of the 1,563 employees asked to attend, 85% completed the training.
Outlook for 2021
With the introduction of the new organisational and management structure, the IT departments of the individual companies were combined under the new IT & Digital Services Service Unit in 2021. Accordingly, IT security will be handled centrally in the future. In addition, the e-learning modules on information security for employees were revised.